Showing posts with label RUSSIAN HACKING.

December 17, 2020

U.S. Cyber Agency: Computer Hack Poses 'Grave Risk'

NPR



The U.S. Cybersecurity and Infrastructure Security Agency on Thursday delivered an ominous warning about a major computer intrusion, saying it "poses a grave risk" to federal, state and local governments as well as private companies and organizations.

The Trump administration had said relatively little since the hack on government computers at multiple agencies was first announced last weekend.

But the CISA, which is part of the Department of Homeland Security, offered a broad overview in its latest comments. The agency noted the attack began around March and is still ongoing — meaning the malware that's been placed on computers may still be capturing valuable information.

In addition, CISA said that removing the malware will be "highly complex and challenging for organizations."

Russia's Foreign Intelligence Service, the SVR, is believed responsible, according to cybersecurity experts who cite the extremely sophisticated nature of the attack. But the Trump administration has not formally blamed Russia, and Russia has denied involvement.

"How could I prove that I'm innocent if I didn't do it. Let's sit together. Let's discuss. Let's restart our dialogue," Russian Ambassador Anatoly Antonov said Wednesday in a Zoom call from the Russian Embassy in Washington.

The Department of Homeland Security is one of several federal agencies that have been part of a hack that hinged on a vulnerability in SolarWinds' Orion network monitoring products.

Mandel Ngan/AFP via Getty Images

U.S. intelligence agencies have started briefing members of Congress, and Sen. Richard Blumenthal, a Connecticut Democrat, said the information clearly pointed to Cozy Bear, a hacking group widely considered to be Russian foreign intelligence.

"Russia's cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what's going on," Blumenthal said in one of several tweets related to the hack.

Blumenthal said he will be pushing to make more information public.

So far, the list of affected U.S. government entities reportedly includes the Commerce Department, Department of Homeland Security, the Pentagon, the Treasury Department, the U.S. Postal Service and the National Institutes of Health.

Attention has focused on the breach of U.S. government networks, but the malware has also likely infected computers at thousands of private companies and organizations, according to government officials and cybersecurity experts.

The FBI, the Department of Homeland Security and the Office of the Director of National Intelligence announced Wednesday that they have now formed a special unified team, saying they will "coordinate a whole-of-government-response to this significant cyber incident."

President Trump has yet to make any public mention of the hack.

The hackers targeted software from SolarWinds, a company based in Austin, Texas. Many federal agencies and thousands of companies use SolarWinds' Orion software to monitor their computer networks.

CISA issued an Emergency Directive on Sunday, telling federal agencies "to immediately disconnect or power down affected SolarWinds Orion products from their network."

The incident is the latest in what has become a long list of suspected Russian electronic incursions into other nations – particularly the U.S. – under President Vladimir Putin. Multiple countries have previously accused Russia of using hackers, bots and other means in attempts to influence elections in the U.S. and elsewhere.

U.S. national security agencies made major efforts to prevent Russia from interfering in the 2020 election. But those same agencies seem to have been blindsided by the hackers who have had months to dig around inside U.S. government systems.

"It's as if you wake up one morning and suddenly realize that a burglar has been going in and out of your house for the last six months," said Glenn Gerstell, who was the National Security Agency's general counsel from 2015 to 2020.

Here's what we know about the attack:

Who was affected?

SolarWinds has some 300,000 customers, but it says "fewer than 18,000" installed the version of its Orion products that appears to have been compromised.

The victims include government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East, according to the security firm FireEye, which helped raise the alarm about the breach.

"We believe this is nation-state activity at significant scale, aimed at both the government and private sector," Microsoft said as it shared some details about what it called "the threat activity we've uncovered over the past weeks."

After studying the malware, FireEye said it believes the breaches were carefully targeted: "These compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."

How did the hack work?

Hackers exploited the way software companies distribute updates, adding malware to the legitimate package. Security analysts say the malicious code gave hackers a "backdoor" — a foothold in their targets' computer networks — which they then used to gain elevated credentials.

SolarWinds traced the "supply chain" attack to updates for its Orion network products between March and June.

"After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs,' that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services," FireEye said.

The malware was engineered to be very stealthy, operating in ways that would masquerade as normal activity, FireEye said. It added that the malicious software could also identify forensic and anti-virus tools that might threaten it. And it says the credentials it used to move within the system were "always different from those used for remote access."

After gaining access, Microsoft says, the intruder also made changes to ensure long-term access, by adding new credentials and using administrator privileges to grant itself more permissions.

FireEye is calling the "Trojanized" SolarWinds software Sunburst. It named another piece of malware – which it says had never been seen before — TEARDROP.

What are investigators doing now?

SolarWinds says it is cooperating with the FBI, the U.S. intelligence community and other investigating agencies to learn more about the malware and its effects. The company and security firms also say any affected agencies or customers should update to the latest software, to lessen their exposure to the vulnerability.

Describing some of the detective work that's now taking place, Gerstell said, "You'd have to go back and look at every room to see what was taken, what might have been touched. And of course, that's just a horrifying thought."

The intruders were careful to cover their tracks, he said.

"You couldn't tell that they came in, you couldn't tell that they left the back door open. You couldn't even tell necessarily when they came in, took a look around and when they left."

Microsoft has now taken control of the domain name that hackers used to communicate with systems that were compromised by the Orion update, according to security expert Brian Krebs. That access can help reveal the scope of the hack, he said.

The intrusion could simply be a case of espionage, he said, of one government trying to understand what its adversary is doing.

“The federal government has invested heavily in securing its myriad computers, especially since the extent of the devastating Chinese hack of the Office of Personnel Management was discovered in 2015, when more than 20 million federal employees and others had their personal information, including Social Security numbers, compromised. But this year’s months-long hack of federal networks, discovered in recent days, has revealed new weaknesses and underscored some previously known ones, including the federal government’s reliance on widely used commercial software that provides potential attack vectors for nation-state hackers. … The Russians reportedly found their way into federal systems by first hacking SolarWinds, 

  • SolarWinds was warned last year that anyone could access its update server by using the password “solarwinds123”. “Multiple criminals have offered to sell access to SolarWinds’ computers through underground forums,” Reuters reports.
  • SolarWinds investors traded a suspiciously large $280 million in stock during the days before the hack was revealed, which sent the share price plunging more than 20 percent. “A former enforcement official at the U.S. Securities and Exchange Commission and an accounting expert both said the trades would likely spark an investigation by federal securities watchdogs into whether they amounted to insider trading,” Drew Harwell and Douglas MacMillan report.


Wide-ranging hack poses "a grave risk to the federal government"

After a week of alarming revelations, here’s what we know about a major hack targeting multiple US government agencies and at least one private company.

  • Reporting indicates that at least six federal departments — Defense, Commerce, Treasury, State, Homeland Security, and Energy — were breached in the attack, as was Microsoft. [Vox / Alex Ward]
  • More details are still emerging, but government officials have suggested that a Russian hacking group called Cozy Bear, which has been involved in several previous attacks in the US, is likely responsible. The group has ties to Russian intelligence. [Recode / Sara Morrison]
  • According to the New York Times, officials believe the goal of the attack was likely “traditional espionage” — but it’s possible the hackers could mount a far more damaging attack if they wanted to. [NYT / David E. Sanger and Nicole Perlroth]
  • The federal government has also warned that the attack, which appears to have been perpetrated using malware inserted into a network safety tool produced by the cybersecurity company SolarWinds, is “significant and ongoing.” [Guardian / Kari Paul]
  • Among other targets, portions of the National Nuclear Security Administration network appear to have been compromised in the attack, though officials say that no “mission essential national security functions” of the agency were affected. [Politico / Natasha Bertrand and Eric Wolff]
  • The hacking effort is believed to have begun in March, if not earlier, and there’s no easy way to repair the security breach: According to the federal Cybersecurity and Infrastructure Security Agency, “removing the threat actor from compromised environments will be highly complex and challenging.” [CNBC / Sam Shead]


January 21, 2020

Russians Hacked Ukrainian Gas Company at Center of Impeachment

A filing cabinet broken into in 1972 as part of the Watergate burglary sits beside a computer server that Russian hackers breached during the 2016 presidential campaign at the Democratic National Committee’s headquarters in Washington.
Credit...Justin T. Gellerson for The New York Times

With President Trump facing an impeachment trial over his efforts to pressure Ukraine to investigate former Vice President Joseph R. Biden Jr. and his son Hunter Biden, Russian military hackers have been boring into the Ukrainian gas company at the center of the affair, according to security experts.

The hacking attempts against Burisma, the Ukrainian gas company on whose board Hunter Biden served, began in early November, as talk of the Bidens, Ukraine and impeachment was dominating the news in the United States.

It is not yet clear what the hackers found, or precisely what they were searching for. But the experts say the timing and scale of the attacks suggest that the Russians could be searching for potentially embarrassing material on the Bidens — the same kind of information that Mr. Trump wanted from Ukraine when he pressed for an investigation of the Bidens and Burisma, setting off a chain of events that led to his impeachment.

The Russian tactics are strikingly similar to what American intelligence agencies say was Russia’s hacking of emails from Hillary Clinton’s campaign chairman and the Democratic National Committee during the 2016 presidential campaign. In that case, once they had the emails, the Russians used trolls to spread and spin the material, and built an echo chamber to widen its effect.

Then, as now, the Russian hackers from a military intelligence unit known formerly as the G.R.U., and to private researchers by the alias “Fancy Bear,” used so-called phishing emails that appear designed to steal usernames and passwords, according to Area 1, the Silicon Valley security firm that detected the hacking. In this instance, the hackers set up fake websites that mimicked sign-in pages of Burisma subsidiaries, and have been blasting Burisma employees with emails meant to look like they are coming from inside the company.

Hunter Biden in 2016 with his father, then the vice president.
Credit...Paul Morigi/Getty Images for World Food Program USA

The hackers fooled some of them into handing over their login credentials, and managed to get inside one of Burisma’s servers, Area 1 said.

“The attacks were successful,” said Oren Falkowitz, a co-founder of Area 1, who previously served at the National Security Agency. Mr. Falkowitz’s firm maintains a network of sensors on web servers around the globe — many known to be used by state-sponsored hackers — which gives the firm a front-row seat to phishing attacks, and allows them to block attacks on their customers.

“The timing of the Russian campaign mirrors the G.R.U. hacks we saw in 2016 against the D.N.C. and John Podesta,” the Clinton campaign chairman, Mr. Falkowitz said. “Once again, they are stealing email credentials, in what we can only assume is a repeat of Russian interference in the last election.”

The Justice Department indicted seven officers from the same military intelligence unit in 2018.

The Russian attacks on Burisma appear to be running parallel to an effort by Russian spies in Ukraine to dig up information in the analog world that could embarrass the Bidens, according to an American security official, who spoke on the condition of anonymity to discuss sensitive intelligence. The spies, the official said, are trying to penetrate Burisma and working sources in the Ukrainian government in search of emails, financial records and legal documents.

The Russian government did not immediately respond to requests for comment, nor did Burisma.

While American election defenses have improved since 2016, many of the vulnerabilities exploited four years ago remain.

American officials are warning that the Russians have grown stealthier since 2016, and are again seeking to steal and spread damaging information and target vulnerable election systems ahead of the 2020 election.

In the same vein, Russia has been working since the early days of Mr. Trump’s presidency to turn the focus away from its own election interference in 2016 by seeding conspiracy theories about Ukrainian meddling and Democratic complicity.

The result has been a muddy brew of conspiracy theories that mix facts, like the handful of Ukrainians who openly criticized Mr. Trump’s candidacy, with discredited claims that the D.N.C.’s email server is in Ukraine and that Mr. Biden, as vice president, had corrupt dealings with Ukrainian officials to protect his son. Spread by bots and trolls on social media, and by Russian intelligence officers, the claims resonated with Mr. Trump, who views talk of Russian interference as an attack on his legitimacy.

With Mr. Biden’s emergence as a front-runner for the Democratic nomination last spring, the president latched on to the corruption allegations, and asked that Ukraine investigate the Bidens on his July 25 call with President Volodymyr Zelensky of Ukraine. The call became central to Mr. Trump’s impeachment last month.

The Biden campaign sought to cast the Russian effort to hack Burisma as an indication of Mr. Biden’s political strength, and to highlight Mr. Trump’s apparent willingness to let foreign powers boost his political fortunes.

“Donald Trump tried to coerce Ukraine into lying about Joe Biden and a major bipartisan, international anti-corruption victory because he recognized that he can’t beat the vice president,” said Andrew Bates, a spokesman for the Biden campaign.

“Now we know that Vladimir Putin also sees Joe Biden as a threat,” Mr. Bates added. “Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”

The corruption allegations hinge on Hunter Biden’s work on the Burisma board. The company hired Mr. Biden while his father was vice president and leading the Obama administration’s Ukraine policy, including a successful push to have Ukraine’s top prosecutor fired for corruption. The effort was backed by European allies.

The story has since been recast by Mr. Trump and some of his staunchest defenders, who say Mr. Biden pushed out the prosecutor because Burisma was under investigation and his son could be implicated. Rudolph W. Giuliani, acting in what he says was his capacity as Mr. Trump’s personal lawyer, has personally taken up investigating the Bidens and Burisma, and now regularly claims to have uncovered clear-cut evidence of wrongdoing.

The evidence, though, has yet to emerge, and now the Russians appear to have joined the hunt.

Area 1 researchers discovered a G.R.U. phishing campaign on Ukrainian companies on New Year’s Eve. A week later, Area 1 determined what the Ukrainian targets had in common: They were all subsidiaries of Burisma Holdings, the company at the center of Mr. Trump’s impeachment. Among the Burisma subsidiaries phished were KUB-Gas, Aldea, Esko-Pivnich, Nadragas, Tehnocom-Service and Pari. The targets also included Kvartal 95, a Ukrainian television production company founded by Mr. Zelensky. The phishing attack on Kvartal 95 appears to have been aimed at digging up email correspondence for the company’s chief, Ivan Bakanov, whom Mr. Zelensky appointed as the head of Ukraine’s Security Service last June.

To steal employees’ credentials, the G.R.U. hackers directed Burisma to their fake login pages. Area 1 was able to trace the look-alike sites through a combination of internet service providers frequently used by G.R.U.’s hackers, rare web traffic patterns, and techniques that have been used in previous attacks against a slew of other victims, including the 2016 hack of the D.N.C. and a more recent Russian hack of the World Anti-Doping Agency.
Travis Tygart, chief executive of the United States Anti-Doping Agency, said his organization was among those targeted in a cyberattack.
Credit...Susan Walsh/Associated Press

“The Burisma hack is a cookie-cutter G.R.U. campaign,” Mr. Falkowitz said. “Russian hackers, as sophisticated as they are, also tend to be lazy. They use what works. And in this, they were successful.”
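The look-alike sign-in pages described in the Burisma story are the kind of thing a defender catches by comparing every host a user is sent to against the organisation's own domains. The script below is an added illustration of that check and is not code from Area 1, the article, or any vendor; the domain example-corp.com, the confusable-character table and the sample URLs are constructed assumptions. It folds digits, accented letters, Cyrillic look-alikes and letter pairs such as "rn" back to their Latin equivalents, then scores the remaining distance, and it separately flags hosts that embed a legitimate domain as a subdomain of an unrelated one.

```python
"""Flag look-alike sign-in hosts against an organisation's real domains.

Added example, not from the article. All domains and URLs are constructed.
"""
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed: the organisation's own sign-in domains (constructed for this example).
LEGIT_DOMAINS = ("example-corp.com",)

# Single characters commonly substituted for Latin letters: digits and
# Cyrillic letters that render identically to their Latin counterparts.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}
# Letter pairs that look like one letter in most fonts.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}


def normalize_host(host: str) -> str:
    """Lower-case, strip accents, then map confusable characters to Latin."""
    host = unicodedata.normalize("NFKD", host.lower())
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    host = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    for pair, single in PAIR_CONFUSABLES.items():
        host = host.replace(pair, single)
    return host


def registrable_part(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, legit_domains=LEGIT_DOMAINS, threshold: float = 0.8) -> dict:
    """Return a verdict of 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    host = (urlsplit(url).hostname or "").strip(".")

    # Exact host or a real subdomain of one of our domains is legitimate.
    for legit in legit_domains:
        if host == legit or host.endswith("." + legit):
            return {"host": host, "verdict": "legitimate", "match": legit, "score": 1.0}

    best = None
    for legit in legit_domains:
        # Our domain used as a label inside someone else's registrable domain,
        # e.g. example-corp.com.account-verify.net, is a classic phishing host.
        if legit in host:
            return {"host": host, "verdict": "lookalike", "match": legit, "score": 1.0}
        score = SequenceMatcher(
            None, normalize_host(registrable_part(host)), normalize_host(legit)
        ).ratio()
        if best is None or score > best[1]:
            best = (legit, score)

    verdict = "lookalike" if best[1] >= threshold else "unrelated"
    return {"host": host, "verdict": verdict, "match": best[0], "score": round(best[1], 3)}


def scan_urls(urls, legit_domains=LEGIT_DOMAINS):
    """Return only the results an analyst needs to look at."""
    return [r for r in (classify_url(u, legit_domains) for u in urls) if r["verdict"] == "lookalike"]


# Constructed sample of links as they might appear in a phishing-report queue.
SAMPLE_URLS = [
    "https://mail.example-corp.com/login",                   # genuine subdomain
    "https://examp1e-corp.com/login",                        # digit 1 for l
    "https://exarnple-corp.com/",                            # rn for m
    "https://example-corp.com.account-verify.net/signin",    # brand as subdomain
    "https://example-corp.co/",                              # truncated TLD
    "https://ex\u0430mple-corp.com/",                        # Cyrillic a
    "https://weather-report.org/",                           # unrelated site
]

if __name__ == "__main__":
    for result in scan_urls(SAMPLE_URLS):
        print(f"{result['verdict']:10} {result['host']:45} ~ {result['match']} ({result['score']})")
```

The similarity threshold and the two-label registrable-domain heuristic are deliberately simple; in production you would use a public-suffix list and tune the threshold against your own domain names, since short domains produce high ratios against many unrelated hosts.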